Dual Factor Authentication for PayPal

Jun 15, 2009, 9:47 PM -05:00

I pay for eBay purchases and, increasingly, purchases at scores of online vendors using PayPal. Despite using a complex password, given that my checking and credit card accounts are linked to my PayPal account, I was delighted to discover an additional security measure for the sites. PayPal has offered a Security Key Token (see picture) for some time. The token generates a one-time security code which is entered into the website after your username and password, providing true dual factor authentication: something you “know” (the username and password) and something you “have” (the token). The token is available for only $5, but it is just another bulge on my key chain and I don’t use PayPal often enough to lug the token around all the time.

I discovered an iPhone app from VeriSign that generates a one-time security code (just like the token). VIP Access, according to the VeriSign website, works with PayPal and eBay. After downloading and installing the app and searching all over the PayPal and eBay sites, I could never find a reference to VIP Access, let alone how to configure it to work with my profiles on those sites.

However, in the course of trying to figure out how to use VIP Access with PayPal and eBay, I discovered you can use your mobile phone to receive a text message with a one-time security code. You simply log in to PayPal as usual, go to your Profile, select PayPal Security Key (under Account Information), select Get security key and register your cell phone number. The site will then send you a text message with a code to activate the functionality.

After activation, you will be required to enter your username and password, click a button (Send SMS) which generates a text message with your one-time security code, then enter the security code within 30 seconds. Note there is a workaround if you don’t have your cell phone (in the form of security questions).

I like this option because it provides additional security for my PayPal account without having to carry around a token on my key chain.

UPDATE: Shortly after this post, I decided to send VeriSign an e-mail about the apparent lack of compatibility between their iPhone app, VIP Access, and PayPal and eBay (see the second paragraph in Part One above). After hitting “Send”, I went back to the PayPal site for one more look-see.

Clicking on the “Get extra protection with a PayPal Security Key now” link, I was presented with three options: The PayPal Security Key hardware token, configuring your mobile phone to use text messaging (described above) and the VIP (VeriSign Identity Protection) token. I had seen the VIP token before and had even clicked on the link.

However, it appeared this was simply a VeriSign-branded hardware token, virtually identical to the PayPal-branded token. In order to activate the token, it asked for a serial number from the back of the token and two consecutive 6-digit codes generated by the token. Since I don’t have a physical token and e-mails to PayPal asking about the VIP Access iPhone app were fruitless, I thought I was out of luck.

However, I launched the VIP Access app on my iPhone and noted a “Credential ID” number in addition to the one-time Security Code (with its 30-second countdown clock). I entered the “Credential ID” number into the “Serial number” field on the PayPal website, entered the security code in the first 6-digit code field, waited for another code to be generated and entered it in the “Next 6-digit code” field and clicked “Activate”. Lo and behold, it worked. So now, I can use either the VIP Access iPhone app or have the PayPal site send me a text message containing the security code.

I also found a link on the PayPal site to eBay to configure my VIP “token” to work on eBay. Configuration was just as on the PayPal site (i.e. entering the “Credential ID” number in the “Serial number” field).
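
Why an activation form would ask for two consecutive codes: a server can check both against adjacent time steps, which confirms the credential is in hand and measures how far its clock has drifted. This is an added example, not PayPal's or VeriSign's code; it assumes the codes follow RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which the post does not state, uses the RFC's published test secret as constructed input, and `activate` with its `window` parameter is a hypothetical name.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, matching the 30-second countdown in the app
DIGITS = 6   # the activation form asks for 6-digit codes
SECRET = b"12345678901234567890"  # constructed input: RFC 6238 test secret


def totp(secret: bytes, counter: int) -> str:
    """Code for one time-step counter (RFC 4226 truncation over HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def activate(secret: bytes, first: str, second: str, now: int, window: int = 2):
    """Return clock drift in steps if `first` and `second` are the codes for
    two adjacent time steps near `now` (in that order), otherwise None.

    `now` is the server time when the form is submitted, i.e. while the
    second code is expected to be current. `window` is an assumed tolerance.
    """
    for code in (first, second):
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return None
    base = now // STEP
    for drift in range(-window, window + 1):
        step = base + drift
        if step < 1:
            continue
        ok_first = hmac.compare_digest(totp(secret, step - 1), first)
        ok_second = hmac.compare_digest(totp(secret, step), second)
        if ok_first and ok_second:
            return drift  # stored so later logins can correct for it
    return None


if __name__ == "__main__":
    # RFC 6238 vectors for t=1111111109 and t=1111111111 fall in adjacent steps.
    print(activate(SECRET, "081804", "050471", now=1111111111))       # in sync
    print(activate(SECRET, "081804", "050471", now=1111111111 + 30))  # token one step behind
    print(activate(SECRET, "081804", "081804", now=1111111111))       # same code twice
```

A single code only shows that someone saw one valid value; requiring the next one as well ties the check to the sequence and tells the server which time step the credential believes it is in.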